Python internal API#

gafaelfawr Package#

The Gafaelfawr service.

Variables#

__version__

The application version string (PEP 440 / SemVer compatible).

gafaelfawr.auth Module#

Utility functions for manipulating authentication headers.

Functions#

clean_authorization(headers)

Remove Gafaelfawr tokens from Authorization headers.

clean_cookies(headers)

Remove Gafaelfawr cookies from cookie headers.

generate_challenge(context, auth_type, exc)

Convert an exception into an HTTP error with WWW-Authenticate.

generate_unauthorized_challenge(context, ...)

Construct exception for a 401 response with AJAX handling.

parse_authorization(context)

Find a handle or token in the Authorization header.

gafaelfawr.cache Module#

Shared caches.

These caches are process-global, managed by ProcessContext. The common theme is some storage wrapped in an asyncio.Lock, possibly with some complex structure to allow per-user locking. These services sit below the main service layer and are only intended for use via their service layer (TokenCacheService, LDAPService, and FirestoreService).

Classes#

BaseCache()

Base class for caches managed by a cache dependency.

IdCache()

A cache of UIDs or GIDs.

InternalTokenCache()

Cache for internal tokens.

PerUserCache()

Base class for a cache with per-user locking.

LDAPCache(content)

A cache of LDAP data.

NotebookTokenCache()

Cache for notebook tokens.

TokenCache()

Base class for a cache of internal or notebook tokens.

UserLockManager(general_lock, user_lock)

Helper class for managing per-user locks.

Variables#

S

Type of content stored in a cache.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.cache.BaseCache, gafaelfawr.cache.IdCache, gafaelfawr.cache.InternalTokenCache, gafaelfawr.cache.PerUserCache, gafaelfawr.cache.LDAPCache, gafaelfawr.cache.NotebookTokenCache, gafaelfawr.cache.TokenCache, gafaelfawr.cache.UserLockManager

gafaelfawr.config Module#

Configuration for Gafaelfawr.

There are two, mostly-parallel models defined here. The ones ending in Settings are the pydantic models used to read the configuration file from disk, the root of which is Settings. This is then processed and broken up into configuration dataclasses for various components and then exposed to the rest of Gafaelfawr as the Config object.

Classes#

Config(realm, log_level, session_secret, ...)

Configuration for Gafaelfawr.

FirestoreConfig(project)

Configuration for Firestore-based UID/GID assignment.

FirestoreSettings

pydantic model of Firestore configuration.

ForgeRockConfig(url, username, password)

Configuration for ForgeRock Identity Management server.

ForgeRockSettings

pydantic model of ForgeRock Identity Management configuration.

GitHubConfig(client_id, client_secret)

Metadata for GitHub authentication.

GitHubSettings

pydantic model of GitHub configuration.

LDAPConfig(url, user_dn, password, ...[, ...])

Configuration for LDAP support.

LDAPSettings

pydantic model of LDAP configuration.

NotebookQuota(cpu, memory)

Quota settings for the Notebook Aspect.

NotebookQuotaSettings

Quota settings for the Notebook Aspect.

OIDCConfig(client_id, client_secret, ...)

Configuration for OpenID Connect authentication.

OIDCClient(client_id, client_secret)

Configuration for a single OpenID Connect client of our server.

OIDCServerConfig(issuer, key_id, audience, ...)

Configuration for the OpenID Connect server.

OIDCServerSettings

pydantic model of issuer configuration.

OIDCSettings

pydantic model of OpenID Connect configuration.

Quota(default, groups)

Quota settings.

QuotaGrant(api, notebook)

One grant of quotas.

QuotaGrantSettings

One grant of quotas.

QuotaSettings

Quota settings.

Settings

pydantic model of Gafaelfawr configuration file.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.config.Config, gafaelfawr.config.FirestoreConfig, gafaelfawr.config.FirestoreSettings, gafaelfawr.config.ForgeRockConfig, gafaelfawr.config.ForgeRockSettings, gafaelfawr.config.GitHubConfig, gafaelfawr.config.GitHubSettings, gafaelfawr.config.LDAPConfig, gafaelfawr.config.LDAPSettings, gafaelfawr.config.NotebookQuota, gafaelfawr.config.NotebookQuotaSettings, gafaelfawr.config.OIDCConfig, gafaelfawr.config.OIDCClient, gafaelfawr.config.OIDCServerConfig, gafaelfawr.config.OIDCServerSettings, gafaelfawr.config.OIDCSettings, gafaelfawr.config.Quota, gafaelfawr.config.QuotaGrant, gafaelfawr.config.QuotaGrantSettings, gafaelfawr.config.QuotaSettings, gafaelfawr.config.Settings

gafaelfawr.constants Module#

Constants for Gafaelfawr.

Variables#

ACTOR_REGEX

Regex matching all valid actors (including <bootstrap>).

ALGORITHM

JWT algorithm to use for all tokens.

BOT_USERNAME_REGEX

Regex matching a valid username that is also a bot user.

CHANGE_HISTORY_RETENTION

Retention of old token change history entries.

CONFIG_PATH

Default configuration path.

COOKIE_NAME

Name of the state cookie.

CURSOR_REGEX

Regex matching a valid cursor.

GID_MIN

Minimum GID for groups.

GID_MAX

Maximum gid for groups.

GROUPNAME_REGEX

Regex matching all valid group names.

HTTP_TIMEOUT

Timeout (in seconds) for outbound HTTP requests to auth providers.

ID_CACHE_SIZE

How many UID or GID values to cache in memory.

KUBERNETES_WATCH_TIMEOUT

Timeout (in seconds) for the Kubernetes operator watch operation.

KUBERNETES_TIMER_DELAY

How long (in seconds) to delay timers after startup and changes.

KUBERNETES_TOKEN_INTERVAL

How frequently (in seconds) to validate service tokens stored in secrets.

LDAP_CACHE_SIZE

Maximum numbr of entries in LDAP caches.

LDAP_CACHE_LIFETIME

Lifetime of the LDAP caches in seconds.

LDAP_TIMEOUT

Timeout (in seconds) for LDAP queries.

MINIMUM_LIFETIME

Minimum expiration lifetime for a token.

NGINX_SNIPPET

Code snippet to put into NGINX configuration for each ingress.

OIDC_AUTHORIZATION_LIFETIME

How long (in seconds) an authorization code is good for.

REDIS_BACKOFF_START

How long (in seconds) to initially wait after a Redis failure.

REDIS_BACKOFF_MAX

Maximum delay (in seconds) to wait after a Redis failure.

REDIS_POOL_SIZE

Size of the Redis connection pool.

REDIS_POOL_TIMEOUT

How long to wait for a connection from the pool before giving up.

REDIS_RETRIES

How many times to try to connect to Redis before giving up.

SCOPE_REGEX

Regex matching a valid scope.

TOKEN_CACHE_SIZE

How many internal or notebook tokens to cache in memory.

UID_BOT_MIN

Minimum UID for bot users.

UID_BOT_MAX

Maximum UID for bot users.

UID_USER_MIN

Minimum UID for users.

USERNAME_REGEX

Regex matching all valid usernames.

gafaelfawr.dependencies.auth Module#

Authentication dependencies for FastAPI.

Functions#

verified_oidc_token([context])

Require that a request be authenticated with an OpenID Connect token.

Classes#

Authenticate(*[, require_session, ...])

Dependency to verify user authentication.

AuthenticateRead(*[, require_session, ...])

Authenticate a read API.

AuthenticateWrite(*[, require_session, ...])

Authenticate a write API.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.dependencies.auth.Authenticate, gafaelfawr.dependencies.auth.AuthenticateRead, gafaelfawr.dependencies.auth.AuthenticateWrite

gafaelfawr.dependencies.config Module#

Config dependency for FastAPI.

Classes#

ConfigDependency()

Provides the configuration as a dependency.

Variables#

config_dependency

The dependency that will return the current configuration.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.dependencies.config.ConfigDependency

gafaelfawr.dependencies.context Module#

Request context dependency for FastAPI.

This dependency gathers a variety of information into a single object for the convenience of writing request handlers. It also provides a place to store a structlog.BoundLogger that can gather additional context during processing, including from dependencies.

Classes#

ContextDependency()

Provide a per-request context as a FastAPI dependency.

RequestContext(request, ip_address, config, ...)

Holds the incoming request and its surrounding context.

Variables#

context_dependency

The dependency that will return the per-request context.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.dependencies.context.ContextDependency, gafaelfawr.dependencies.context.RequestContext

gafaelfawr.dependencies.return_url Module#

FastAPI dependencies for checking the return URL.

Several API routes allow the caller to request a redirect back to a return URL given as a parameter. To avoid creating an open redirect, those return URLs must be located at the same hostname as the route being called. Provide several variations of a dependency to check this.

Functions#

parsed_redirect_uri([redirect_uri, context])

Validate a return URL in a redirect_uri parameter.

return_url([rd, context])

Validate a return URL in an rd parameter.

return_url_with_header([rd, ...])

Validate a return URL in an rd parameter or header.

gafaelfawr.exceptions Module#

Exceptions for Gafaelfawr.

Classes#

DuplicateTokenNameError(message)

The user tried to reuse the name of a token.

ExternalUserInfoError(message[, user, failed_at])

Error in external user information source.

FetchKeysError(message, *[, failed_at, ...])

Cannot retrieve the keys from an issuer.

FirestoreError(message[, user, failed_at])

An error occurred while reading or updating Firestore data.

FirestoreNotInitializedError(message[, ...])

Firestore has not been initialized.

ForgeRockError(message[, user, failed_at])

An error occurred querying ForgeRock Identity Management.

ForgeRockWebError(message, *[, failed_at, ...])

An HTTP error occurred querying ForgeRock Identity Management.

GitHubError(message[, user, failed_at])

The response from GitHub for a request was invalid.

GitHubWebError(message, *[, failed_at, ...])

A web request to GitHub failed.

InputValidationError(message[, location, ...])

Represents an input validation error.

InsufficientScopeError

The provided token does not have the right authorization scope.

InvalidClientError

The provided client_id and client_secret could not be validated.

InvalidCSRFError(message)

Invalid or missing CSRF token.

InvalidCursorError(message)

The provided cursor was invalid.

InvalidDelegateToError(message)

The delegate_to parameter was set to an invalid value.

InvalidExpiresError(message)

The provided token expiration time was invalid.

InvalidGrantError

The provided authorization code is not valid.

InvalidIPAddressError(message)

The provided IP address has invalid syntax.

InvalidMinimumLifetimeError(message)

The minimum_lifetime parameter was set to an invalid value.

InvalidRequestError

The provided Authorization header could not be parsed.

InvalidReturnURLError(message, field)

Client specified an unsafe return URL.

InvalidScopesError(message)

The provided token scopes are invalid or not available.

InvalidTokenClaimsError(message[, user, ...])

One of the claims in the token is of an invalid format.

InvalidTokenError

The provided token was invalid.

KubernetesError([_TemporaryError__msg, delay])

An error occurred during Kubernetes secret processing.

KubernetesObjectError(kind, name, namespace, exc)

A Kubernetes object could not be parsed.

LDAPError(message[, user, failed_at])

User or group information in LDAP was invalid or LDAP calls failed.

MissingGIDClaimError(message[, user, failed_at])

The token is missing the required GID claim.

MissingUIDClaimError(message[, user, failed_at])

The token is missing the required UID claim.

MissingUsernameClaimError(message[, user, ...])

The token is missing the required username claim.

NoAvailableGidError(message[, user, failed_at])

The assigned UID space has been exhausted.

NoAvailableUidError(message[, user, failed_at])

The assigned UID space has been exhausted.

NotConfiguredError(message[, location, ...])

The requested operation was not configured.

NotFoundError(message[, location, field_path])

The named resource does not exist.

OAuthError

An OAuth-related error occurred.

OAuthBearerError

An error that can be returned as a WWW-Authenticate challenge.

OIDCError(message[, user, failed_at])

Response from the OpenID Connect provider was invalid or an error.

OIDCNotEnrolledError(message[, user, failed_at])

The user is not enrolled in the upstream OpenID Connect provider.

OIDCWebError(message, *[, failed_at, ...])

A web request to the OpenID Connect provider failed.

PermissionDeniedError(message[, location, ...])

The user does not have permission to perform this operation.

ProviderError(message[, user, failed_at])

Something failed while talking to an authentication provider.

ProviderWebError(message, *[, failed_at, ...])

A web request to an authentication provider failed.

UnauthorizedClientError

The client is not authorized to request an authorization code.

UnknownAlgorithmError(message[, user, failed_at])

The issuer key was for an unsupported algorithm.

UnknownKeyIdError(message[, user, failed_at])

The reqeusted key ID was not found for an issuer.

UnsupportedGrantTypeError

The grant type is not supported.

VerifyTokenError(message[, user, failed_at])

Base exception class for failure in verifying a token.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.exceptions.DuplicateTokenNameError, gafaelfawr.exceptions.ExternalUserInfoError, gafaelfawr.exceptions.FetchKeysError, gafaelfawr.exceptions.FirestoreError, gafaelfawr.exceptions.FirestoreNotInitializedError, gafaelfawr.exceptions.ForgeRockError, gafaelfawr.exceptions.ForgeRockWebError, gafaelfawr.exceptions.GitHubError, gafaelfawr.exceptions.GitHubWebError, gafaelfawr.exceptions.InputValidationError, gafaelfawr.exceptions.InsufficientScopeError, gafaelfawr.exceptions.InvalidClientError, gafaelfawr.exceptions.InvalidCSRFError, gafaelfawr.exceptions.InvalidCursorError, gafaelfawr.exceptions.InvalidDelegateToError, gafaelfawr.exceptions.InvalidExpiresError, gafaelfawr.exceptions.InvalidGrantError, gafaelfawr.exceptions.InvalidIPAddressError, gafaelfawr.exceptions.InvalidMinimumLifetimeError, gafaelfawr.exceptions.InvalidRequestError, gafaelfawr.exceptions.InvalidReturnURLError, gafaelfawr.exceptions.InvalidScopesError, gafaelfawr.exceptions.InvalidTokenClaimsError, gafaelfawr.exceptions.InvalidTokenError, gafaelfawr.exceptions.KubernetesError, gafaelfawr.exceptions.KubernetesObjectError, gafaelfawr.exceptions.LDAPError, gafaelfawr.exceptions.MissingGIDClaimError, gafaelfawr.exceptions.MissingUIDClaimError, gafaelfawr.exceptions.MissingUsernameClaimError, gafaelfawr.exceptions.NoAvailableGidError, gafaelfawr.exceptions.NoAvailableUidError, gafaelfawr.exceptions.NotConfiguredError, gafaelfawr.exceptions.NotFoundError, gafaelfawr.exceptions.OAuthError, gafaelfawr.exceptions.OAuthBearerError, gafaelfawr.exceptions.OIDCError, gafaelfawr.exceptions.OIDCNotEnrolledError, gafaelfawr.exceptions.OIDCWebError, gafaelfawr.exceptions.PermissionDeniedError, gafaelfawr.exceptions.ProviderError, gafaelfawr.exceptions.ProviderWebError, gafaelfawr.exceptions.UnauthorizedClientError, gafaelfawr.exceptions.UnknownAlgorithmError, gafaelfawr.exceptions.UnknownKeyIdError, gafaelfawr.exceptions.UnsupportedGrantTypeError, gafaelfawr.exceptions.VerifyTokenError

gafaelfawr.factory Module#

Create Gafaelfawr components.

Classes#

Factory(context, session, logger)

Build Gafaelfawr components.

ProcessContext(config, http_client, ...)

Per-process application context.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.factory.Factory, gafaelfawr.factory.ProcessContext

gafaelfawr.keypair Module#

RSA key pair handling.

Classes#

RSAKeyPair(private_key)

An RSA key pair with some simple helper functions.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.keypair.RSAKeyPair

gafaelfawr.middleware.state Module#

State cookie management.

Classes#

BaseState()

Base class for state information stored in a cookie.

StateMiddleware(app, *, cookie_name, state_class)

Middleware to read and update an encrypted state cookie.

Variables#

T

Type of data stored in the state cookie.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.middleware.state.BaseState, gafaelfawr.middleware.state.StateMiddleware

gafaelfawr.models.admin Module#

Representation of a token administrator.

Classes#

Admin

A token administrator.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.models.admin.Admin

gafaelfawr.models.auth Module#

Representation of authentication-related data.

Classes#

APIConfig

Configuration information for the API.

APILoginResponse

Response to an API login request.

AuthChallenge(auth_type, realm)

Represents a WWW-Authenticate header for a simple challenge.

AuthError(value[, names, module, qualname, ...])

Valid authentication errors for a WWW-Authenticate header.

AuthErrorChallenge(auth_type, realm, error, ...)

Represents a WWW-Authenticate header for an error challenge.

AuthType(value[, names, module, qualname, ...])

Authentication types for the WWW-Authenticate header.

Satisfy(value[, names, module, qualname, ...])

Authorization strategies.

Scope

A known token scope.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.models.auth.APIConfig, gafaelfawr.models.auth.APILoginResponse, gafaelfawr.models.auth.AuthChallenge, gafaelfawr.models.auth.AuthError, gafaelfawr.models.auth.AuthErrorChallenge, gafaelfawr.models.auth.AuthType, gafaelfawr.models.auth.Satisfy, gafaelfawr.models.auth.Scope

gafaelfawr.models.history Module#

Representation of a token or admin history event.

Classes#

AdminChange(value[, names, module, ...])

Type of change made to a token admin.

AdminHistoryEntry

A record of a change to the token administrators.

HistoryCursor(time, id[, previous])

Pagination cursor for history entries.

PaginatedHistory(entries, count[, ...])

Encapsulates paginated history entries with pagination information.

TokenChange(value[, names, module, ...])

Type of change made to a token.

TokenChangeHistoryEntry

A record of a change to a token.

Variables#

E

Type of a history entry in a paginated list.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.models.history.AdminChange, gafaelfawr.models.history.AdminHistoryEntry, gafaelfawr.models.history.HistoryCursor, gafaelfawr.models.history.PaginatedHistory, gafaelfawr.models.history.TokenChange, gafaelfawr.models.history.TokenChangeHistoryEntry

gafaelfawr.models.kubernetes Module#

Models for Kubernetes operators.

Classes#

GafaelfawrIngress

Representation of a GafaelfawrIngress resource.

GafaelfawrIngressConfig

Configuration settings for an ingress using Gafaelfawr for auth.

GafaelfawrIngressDelegate

Configuration for delegated tokens requested for a service.

GafaelfawrIngressDelegateInternal

Configuration for a delegated internal token.

GafaelfawrIngressDelegateNotebook

Configuration for a delegated notebook token.

GafaelfawrIngressMetadata

Metadata used to create an Ingress object.

GafaelfawrIngressPath

A path routing rule for an ingress.

GafaelfawrIngressPathBackend

Backend that serves a given path.

GafaelfawrIngressPathService

Service that serves a given path.

GafaelfawrIngressRule

A routing rule for an ingress.

GafaelfawrIngressRuleHTTP

Routing rules for HTTP access.

GafaelfawrIngressScopesAll

Represents scopes where all scopes are required.

GafaelfawrIngressScopesAnonymous

Represents anonymous access.

GafaelfawrIngressScopesAny

Represents scopes where any scope is sufficient.

GafaelfawrIngressScopesBase

Base class for specifying the required scopes.

GafaelfawrIngressSpec

Template for spec portion of Ingress resource.

GafaelfawrIngressTLS

A TLS certificate rule for an ingress.

GafaelfawrIngressTemplate

Template for Ingress created from GafaelfawrIngress resource.

GafaelfawrServicePortName

Port for a service.

GafaelfawrServicePortNumber

Port for a service.

GafaelfawrServiceToken

Representation of a GafaelfawrServiceToken resource.

GafaelfawrServiceTokenSpec

Holds the spec section of a GafaelfawrServiceToken resource.

KubernetesMetadata

The metadata section of a Kubernetes resource.

KubernetesResource

A Kubernetes resource being processed by an operator.

KubernetesResourceStatus(message, ...[, ...])

Represents the processing status of a Kubernetes resource.

PathType(value[, names, module, qualname, ...])

Matching types for paths in ingress rules.

StatusReason(value[, names, module, ...])

Reason for the status update of a GafaelfawrServiceToken.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.models.kubernetes.GafaelfawrIngress, gafaelfawr.models.kubernetes.GafaelfawrIngressConfig, gafaelfawr.models.kubernetes.GafaelfawrIngressDelegate, gafaelfawr.models.kubernetes.GafaelfawrIngressDelegateInternal, gafaelfawr.models.kubernetes.GafaelfawrIngressDelegateNotebook, gafaelfawr.models.kubernetes.GafaelfawrIngressMetadata, gafaelfawr.models.kubernetes.GafaelfawrIngressPath, gafaelfawr.models.kubernetes.GafaelfawrIngressPathBackend, gafaelfawr.models.kubernetes.GafaelfawrIngressPathService, gafaelfawr.models.kubernetes.GafaelfawrIngressRule, gafaelfawr.models.kubernetes.GafaelfawrIngressRuleHTTP, gafaelfawr.models.kubernetes.GafaelfawrIngressScopesAll, gafaelfawr.models.kubernetes.GafaelfawrIngressScopesAnonymous, gafaelfawr.models.kubernetes.GafaelfawrIngressScopesAny, gafaelfawr.models.kubernetes.GafaelfawrIngressScopesBase, gafaelfawr.models.kubernetes.GafaelfawrIngressSpec, gafaelfawr.models.kubernetes.GafaelfawrIngressTLS, gafaelfawr.models.kubernetes.GafaelfawrIngressTemplate, gafaelfawr.models.kubernetes.GafaelfawrServicePortName, gafaelfawr.models.kubernetes.GafaelfawrServicePortNumber, gafaelfawr.models.kubernetes.GafaelfawrServiceToken, gafaelfawr.models.kubernetes.GafaelfawrServiceTokenSpec, gafaelfawr.models.kubernetes.KubernetesMetadata, gafaelfawr.models.kubernetes.KubernetesResource, gafaelfawr.models.kubernetes.KubernetesResourceStatus, gafaelfawr.models.kubernetes.PathType, gafaelfawr.models.kubernetes.StatusReason

gafaelfawr.models.ldap Module#

Data models for LDAP.

Classes#

LDAPUserData([name, email, uid, gid])

Data for a user from LDAP.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.models.ldap.LDAPUserData

gafaelfawr.models.oidc Module#

Representation of data for OpenID Connect support.

Classes#

JWK

The schema for a JSON Web Key (RFCs 7517 and 7518).

JWKS

Schema for the /.well-known/jwks.json endpoint.

OIDCAuthorization

Represents an authorization for an OpenID Connect client.

OIDCAuthorizationCode

An OpenID Connect authorization code.

OIDCConfig

Schema for the /.well-known/openid-configuration endpoint.

OIDCToken

Holds an encoded JWT.

OIDCVerifiedToken

Holds a verified JWT.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.models.oidc.JWK, gafaelfawr.models.oidc.JWKS, gafaelfawr.models.oidc.OIDCAuthorization, gafaelfawr.models.oidc.OIDCAuthorizationCode, gafaelfawr.models.oidc.OIDCConfig, gafaelfawr.models.oidc.OIDCToken, gafaelfawr.models.oidc.OIDCVerifiedToken

gafaelfawr.models.state Module#

Representation of Gafaelfawr state stored in a cookie.

This is the Gafaelfawr version of ~gafaelfawr.middleware.state.BaseState, used by the ~gafaelfawr.middleware.state.StateMiddleware middleware. It holds the data that Gafaelfawr stores in a session cookie.

Classes#

State([csrf, token, github, return_url, state])

State information stored in a cookie.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.models.state.State

gafaelfawr.models.token Module#

Representation of an authentication token and associated data.

Classes#

AdminTokenRequest

A request to create a new token via the admin interface.

NewToken

Response to a token creation request.

NotebookQuota

Notebook Aspect quota information for a user.

Quota

Quota information for a user.

Token

An opaque token.

TokenBase

Base information about a token common to several representations.

TokenData

Data about a token stored in Redis.

TokenGroup

Information about a single group.

TokenInfo

Information about a token returned by the token-info endpoint.

TokenType(value[, names, module, qualname, ...])

The class of token.

TokenUserInfo

The information about a user stored with their token.

UserTokenRequest

The parameters of a user token that are under the user's control.

UserTokenModifyRequest

The parameters of a user token that can be changed.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.models.token.AdminTokenRequest, gafaelfawr.models.token.NewToken, gafaelfawr.models.token.NotebookQuota, gafaelfawr.models.token.Quota, gafaelfawr.models.token.Token, gafaelfawr.models.token.TokenBase, gafaelfawr.models.token.TokenData, gafaelfawr.models.token.TokenGroup, gafaelfawr.models.token.TokenInfo, gafaelfawr.models.token.TokenType, gafaelfawr.models.token.TokenUserInfo, gafaelfawr.models.token.UserTokenRequest, gafaelfawr.models.token.UserTokenModifyRequest

gafaelfawr.operator Package#

Kubernetes operator framework.

This module imports all of the handlers for Gafaelfawr’s Kubernetes operator and serves as an entry point for Kopf.

gafaelfawr.operator.ingress Module#

Kubernetes operator handlers for GafaelfawrIngress.

Functions#

create(name, namespace, body, memo, **_)

Handle creation or modiication of a GafaelfawrIngress object.

gafaelfawr.operator.startup Module#

Kubernetes operator startup and shutdown.

Functions#

startup(memo, settings, **_)

Initialize global data for Kubernetes operators.

shutdown(memo, **_)

Shut down a running Kubernetes operator.

gafaelfawr.operator.tokens Module#

Kubernetes operator handlers for GafaelfawrServiceTokens.

Functions#

create(name, namespace, body, memo, **_)

Handle creation or modification of a GafaelfawrServiceToken object.

periodic(name, namespace, body, memo, **_)

Periodically re-check all GafaelfawrServiceToken objects.

gafaelfawr.providers.base Module#

Base class for authentication providers.

Classes#

Provider()

Abstract base class for authentication providers.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.providers.base.Provider

gafaelfawr.providers.github Module#

GitHub authentication provider.

Classes#

GitHubProvider(*, config, http_client, logger)

Authenticate a user with GitHub.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.providers.github.GitHubProvider

gafaelfawr.providers.oidc Module#

OpenID Connect authentication provider.

Classes#

OIDCProvider(*, config, verifier, ...)

Authenticate a user with GitHub.

OIDCTokenVerifier(config, http_client, logger)

Verify a JWT issued by an OpenID Connect provider.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.providers.oidc.OIDCProvider, gafaelfawr.providers.oidc.OIDCTokenVerifier

gafaelfawr.services.admin Module#

Manage the configured token administrators.

Classes#

AdminService(admin_store, ...)

Manage the token administrators.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.services.admin.AdminService

gafaelfawr.services.firestore Module#

UID/GID assignment using Firestore.

Classes#

FirestoreService(*, uid_cache, gid_cache, ...)

Manage UID and GID assignments using Firestore.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.services.firestore.FirestoreService

gafaelfawr.services.kubernetes Module#

Manage Kubernetes secrets.

Classes#

KubernetesIngressService(storage, logger)

Manage Ingress resources with Gafaelfawr annotations.

KubernetesTokenService(*, token_service, ...)

Manage Gafaelfawr service tokens stored in Kubernetes secrets.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.services.kubernetes.KubernetesIngressService, gafaelfawr.services.kubernetes.KubernetesTokenService

gafaelfawr.services.ldap Module#

LDAP lookups for user information.

Classes#

LDAPService(*, ldap, group_cache, ...)

Perform LDAP lookups for user information.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.services.ldap.LDAPService

gafaelfawr.services.oidc Module#

OpenID Connect identity provider support.

Classes#

OIDCService(*, config, authorization_store, ...)

Minimalist OpenID Connect identity provider.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.services.oidc.OIDCService

gafaelfawr.services.token Module#

Manage tokens.

Classes#

TokenService(*, config, token_cache, ...)

Manage tokens.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.services.token.TokenService

gafaelfawr.services.token_cache Module#

Cache for internal and notebook tokens.

Classes#

TokenCacheService(*, config, internal_cache, ...)

Manage cache internal and notebook tokens.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.services.token_cache.TokenCacheService

gafaelfawr.services.userinfo Module#

Service and caching layer for user metadata.

Classes#

OIDCUserInfoService(*, config, ldap, ...)

Retrieve user metadata from external systems for OIDC authentication.

UserInfoService(*, config, ldap, firestore, ...)

Retrieve user metadata from external systems.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.services.userinfo.OIDCUserInfoService, gafaelfawr.services.userinfo.UserInfoService

gafaelfawr.storage.admin Module#

Storage for token administrators.

Classes#

AdminStore(session)

Stores and retrieves token administrators.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.storage.admin.AdminStore

gafaelfawr.storage.firestore Module#

Firestore storage layer for Gafaelfawr.

Classes#

FirestoreStorage(config, logger)

Google Firestore storage layer.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.storage.firestore.FirestoreStorage

gafaelfawr.storage.forgerock Module#

ForgeRock Identity Management storage layer for Gafaelfawr.

Classes#

ForgeRockStorage(*, config, http_client, logger)

Perform ForgeRock Identity Management lookups.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.storage.forgerock.ForgeRockStorage

gafaelfawr.storage.history Module#

Storage for change and authentication history.

Classes#

AdminHistoryStore(session)

Stores and retrieves the history of changes to token administrators.

TokenChangeHistoryStore(session)

Stores and retrieves the history of changes to tokens.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.storage.history.AdminHistoryStore, gafaelfawr.storage.history.TokenChangeHistoryStore

gafaelfawr.storage.kubernetes Module#

Kubernetes storage layer for Gafaelfawr.

Classes#

KubernetesIngressStorage(api_client, logger)

Kubernetes storage layer for ingress objects.

KubernetesTokenStorage(api_client, logger)

Kubernetes storage layer for service token objects.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.storage.kubernetes.KubernetesIngressStorage, gafaelfawr.storage.kubernetes.KubernetesTokenStorage

gafaelfawr.storage.ldap Module#

LDAP storage layer for Gafaelfawr.

Classes#

LDAPStorage(config, pool, logger)

LDAP storage layer.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.storage.ldap.LDAPStorage

gafaelfawr.storage.oidc Module#

Storage for OpenID Connect authorizations.

Classes#

OIDCAuthorizationStore(storage)

Stores and retrieves OpenID Connect authorizations.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.storage.oidc.OIDCAuthorizationStore

gafaelfawr.storage.token Module#

Storage for tokens.

Classes#

TokenDatabaseStore(session)

Stores and manipulates tokens in the database.

TokenRedisStore(storage, slack_client, logger)

Stores and retrieves token data in Redis.

Class Inheritance Diagram#

Inheritance diagram of gafaelfawr.storage.token.TokenDatabaseStore, gafaelfawr.storage.token.TokenRedisStore

gafaelfawr.templates Module#

Templated responses.

Since the primary UI is provided by JavaScript, these are generally used only for error messages.

Variables#

templates

The template manager.

gafaelfawr.util Module#

General utility functions.

Functions#

add_padding(encoded)

Add padding to base64 encoded bytes.

base64_to_number(data)

Convert base64-encoded bytes to an integer.

is_bot_user(username)

Return whether the given username is a bot user.

normalize_ip_address(v)

Pydantic validator for IP address fields.

normalize_scopes(v)

Pydantic validator for scope fields.

normalize_timedelta(v)

Pydantic validator for timedelta fields.

number_to_base64(data)

Convert an integer to base64-encoded bytes in big endian order.

random_128_bits()

Generate random 128 bits encoded in base64 without padding.